It's been more than two years since Equifax disclosed a data breach that exposed the details of nearly 150 million Americans, and it still ranks as one of the worst security screw-ups of all time. Adding insult to injury, new details have come to light that underscore just how careless Equifax might have been at the time.
A class action lawsuit (PDF) filed in the United States District Court for the Northern District of Georgia, Atlanta Division, alleges Equifax used the default username "admin" to protect a portal used to manage credit disputes. Same goes for the password—at the time of the breach, it too was still the default "admin," according to the lawsuit.
"This portal contained a vast trove of personal information. According to cybersecurity experts, these shortcomings demonstrated 'poor security policy and a lack of due diligence'. Equifax’s authentication practices fell short of the data security standards, which recommend the use of multi-factor authentication," the lawsuit states.
The class-action lawsuit says using the default password "is a surefire way to get hacked." It's certainly boneheaded, if in fact Equifax never bothered to change either the username or password, as the lawsuit alleges.
Other claims of security lapses are made in the lawsuit as well, each representative of a company that "allegedly failed to take some of the most basic precautions to protect its computer systems from hackers."
For example, in addition to the use of "weak passwords and security questions," the lawsuit claims "Equifax relied upon four-digit PINs derived from Social Security numbers and birthdays to guard personal information, despite the fact that these passwords had already been compromised in previous breaches." A PIN built from digits an attacker can already look up offers little more protection than no PIN at all.
According to the lawsuit, a breach of this size "would not have occurred if Equifax had implemented better monitoring systems."
Equifax is one of three major US credit monitoring bureaus. When first disclosing the breach, Equifax said it impacted around 143 million Americans. A year later, however, Equifax said it had discovered at least 2.4 million more names that may have been affected as well.
Hopefully this does not become an annual trend, where each year the news gets worse. That may have to wait for 2020, though, if the claims in the lawsuit are accurate.